test in the non-FIPS RSA keygen for minimal distance of p and q
similarly to the FIPS RSA keygen
This commit is contained in:
Tomas Mraz
parent
7e7e3f299f
commit
6a450be963
25
openssl-1.0.1e-cc-reqs.patch
Normal file
25
openssl-1.0.1e-cc-reqs.patch
Normal file
@ -0,0 +1,25 @@
|
||||
diff -up openssl-1.0.1e/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.0.1e/crypto/rsa/rsa_gen.c
|
||||
--- openssl-1.0.1e/crypto/rsa/rsa_gen.c.cc-reqs 2015-01-13 12:45:51.000000000 +0100
|
||||
+++ openssl-1.0.1e/crypto/rsa/rsa_gen.c 2015-01-15 17:35:04.649697922 +0100
|
||||
@@ -438,6 +438,10 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||
if(!rsa->dmq1 && ((rsa->dmq1=BN_new()) == NULL)) goto err;
|
||||
if(!rsa->iqmp && ((rsa->iqmp=BN_new()) == NULL)) goto err;
|
||||
|
||||
+ /* prepare minimum p and q difference */
|
||||
+ if (!BN_one(r3)) goto err;
|
||||
+ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100)) goto err;
|
||||
+
|
||||
BN_copy(rsa->e, e_value);
|
||||
|
||||
/* generate p and q */
|
||||
@@ -463,7 +467,9 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||
{
|
||||
if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
|
||||
goto err;
|
||||
- } while((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
|
||||
+ if (!BN_sub(r2, rsa->q, rsa->p))
|
||||
+ goto err;
|
||||
+ } while((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
|
||||
if(degenerate == 3)
|
||||
{
|
||||
ok = 0; /* we set our own err */
|
||||
12
openssl.spec
12
openssl.spec
@ -23,7 +23,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.1k
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -88,7 +88,8 @@ Patch80: openssl-1.0.1j-evp-wrap.patch
|
||||
Patch81: openssl-1.0.1k-padlock64.patch
|
||||
Patch84: openssl-1.0.1k-trusted-first.patch
|
||||
Patch85: openssl-1.0.1e-arm-use-elf-auxv-caps.patch
|
||||
Patch89: openssl-1.0.1k-ephemeral-key-size.patch
|
||||
Patch86: openssl-1.0.1k-ephemeral-key-size.patch
|
||||
Patch87: openssl-1.0.1e-cc-reqs.patch
|
||||
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
@ -210,7 +211,8 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
||||
%patch81 -p1 -b .padlock64
|
||||
%patch84 -p1 -b .trusted-first
|
||||
%patch85 -p1 -b .armcap
|
||||
%patch89 -p1 -b .ephemeral
|
||||
%patch86 -p1 -b .ephemeral
|
||||
%patch87 -p1 -b .cc-reqs
|
||||
|
||||
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
||||
|
||||
@ -478,6 +480,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Thu Jan 15 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-2
|
||||
- test in the non-FIPS RSA keygen for minimal distance of p and q
|
||||
similarly to the FIPS RSA keygen
|
||||
|
||||
* Fri Jan 9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-1
|
||||
- new upstream release fixing multiple security issues
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user